API tools faq
paste
Guest User

forcewall.sh

a guest
May 30th, 2021
165
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.79 KB | None | 0 0
raw download clone embed print report
  1. #!/bin/bash
  2.  
  3. SPECIAL_ADDRS='255.255.255.255/32 240.0.0.0/4 233.252.0.0/24 224.0.0.0/4 203.0.113.0/24 198.51.100.0/24 198.18.0.0/15 192.168.0.0/16 192.88.99.0/24 192.0.2.0/24 192.0.0.0/24 172.16.0.0/12 169.254.0.0/16 127.0.0.0/8 100.64.0.0/10 10.0.0.0/8 0.0.0.0/8'
  4.  
  5. # ---
  6.  
  7. umask 0022
  8.  
  9. [ $EUID != 0 ] && echo run as root! && exit
  10.  
  11. # ---
  12.  
  13. if [ "$1" == "-F" ]; then
  14.   iptables -F; iptables -t nat -F; iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -P OUTPUT ACCEPT; iptables -nvL; iptables -t nat -nvL
  15.   chattr -f -i /etc/resolv.conf; echo nameserver 1.1.1.1 > /etc/resolv.conf; chattr -f +i /etc/resolv.conf
  16.   exit
  17. fi
  18.  
  19. # ---
  20.  
  21. apt update
  22. apt install tor
  23.  
  24. # ---
  25.  
  26. iptables -F; iptables -t nat -F
  27. iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP
  28.  
  29. # ---
  30.  
  31. iptables -A INPUT -m state --state INVALID -j DROP
  32. iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  33. iptables -A INPUT -i lo -j ACCEPT
  34. iptables -A INPUT -j DROP
  35.  
  36. # ---
  37.  
  38. iptables -A FORWARD -j DROP
  39.  
  40. # ---
  41.  
  42. iptables -A OUTPUT -m state --state INVALID -j DROP
  43. iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
  44.  
  45. iptables -A OUTPUT -p udp -d 127.0.0.1 --dport 9053 -j ACCEPT
  46. iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 9040 --syn -j ACCEPT
  47.  
  48. iptables -A OUTPUT -p tcp -m owner --uid-owner debian-tor -m state --state NEW --syn -j ACCEPT
  49. iptables -A OUTPUT -o lo -j ACCEPT
  50.  
  51. for special_addr in $SPECIAL_ADDRS; do
  52.   iptables -A OUTPUT -d $special_addr -j DROP
  53. done
  54.  
  55. iptables -A OUTPUT -j DROP
  56.  
  57. # ---
  58.  
  59. iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination='127.0.0.1:9053'
  60. iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 --syn -j DNAT --to-destination='127.0.0.1:9040'
  61.  
  62. iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner debian-tor --syn -j RETURN
  63. iptables -t nat -A OUTPUT -o lo -j RETURN
  64.  
  65. for special_addr in $SPECIAL_ADDRS; do
  66.   iptables -t nat -A OUTPUT -d $special_addr -j RETURN
  67. done
  68.  
  69. iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-destination='127.0.0.1:9040'
  70.  
  71. # ---
  72.  
  73. ip6tables -F; ip6tables -t nat -F
  74. ip6tables -P INPUT DROP; ip6tables -P FORWARD DROP; ip6tables -P OUTPUT DROP
  75. ip6tables -A INPUT -j DROP; ip6tables -A FORWARD -j DROP; ip6tables -A OUTPUT -j DROP
  76.  
  77. # ---
  78.  
  79. iptables -nvL; iptables -t nat -nvL
  80.  
  81. # ---
  82.  
  83. {
  84.   echo DNSPort 127.0.0.1:9053
  85.   echo AutomapHostsOnResolve 1
  86.   echo AutomapHostsSuffixes .onion
  87.   echo
  88.   echo TransPort 127.0.0.1:9040
  89.   echo VirtualAddrNetwork 10.192.0.0/10
  90. } > /etc/tor/torrc && systemctl restart tor
  91.  
  92. # ---
  93.  
  94. chattr -f -i /etc/hosts.allow && > /etc/hosts.allow && chattr -f +i /etc/hosts.allow
  95. chattr -f -i /etc/hosts.deny && echo ALL:ALL > /etc/hosts.deny && chattr -f +i /etc/hosts.deny
  96. chattr -f -i /etc/resolv.conf && echo nameserver 127.0.0.1 > /etc/resolv.conf && chattr -f +i /etc/resolv.conf
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!